Closed Bug 419846 (CVE-2008-2802) Opened 17 years ago Closed 17 years ago

Non-chrome XUL documents can load chrome scripts from the fastload file

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: jst)

References

Details

(Keywords: testcase, verified1.8.1.15, Whiteboard: [sg:critical])

Attachments

(2 files)

Fix.
1.09 KB, patch
enndeakin
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
1.8 branch fix.
1018 bytes, patch
dveditz
: approval1.8.1.15+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
Without using overlay, non-chrome XUL documents can load chrome scripts from the fastload file by using <script> elements. This is exploitable in the same way as bug 390813.
I suggest we prevent loading chrome .js from content.
(In reply to comment #1) > Created an attachment (id=306012) [details] > testcase I can't reproduce with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13pre) Gecko/20080223 BonEcho/2.0.0.13pre , for some reason.
Flags: blocking1.9?
Flags: blocking1.8.1.13?
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
I can reproduce on windows in both 2.0.0.12 release and a 20080227 2.0.0.13pre nightly. Would be interesting to see if there's some good reason why it's WFM for gavin. Was it a debug build? Do we disable caching in debug builds perhaps?
No, I can reproduce in a debug branch build, too.
Who should get this one? On the trunk this will be fixed by bug 292789; can we get away with that on the branch or will that break too many extensions? We can always pull the 2.0.1.x lever--that's what it's there for--but the pain of that might be worse than the original breakage.
Assignee: dveditz → nobody
Depends on: 292789
Flags: wanted1.8.1.x+
> or will that break too many extensions? Can we get an AMO scan to answer that question?
Flags: blocking1.8.1.13? → blocking1.8.1.13+
(In reply to comment #4) > Would be interesting to see if there's some good reason why it's WFM for gavin. Not sure. Seems to trigger: Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMLocation.href]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://global/content/nsDragAndDrop.js :: <TOP_LEVEL> :: line 540" data: no] This was with the latest branch nightly on Windows. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13pre) Gecko/20080227 BonEcho/2.0.0.13pre
Flags: tracking1.9? → blocking1.9?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Assignee: nobody → jst
Flags: blocking1.8.1.13+ → blocking1.8.1.14+
Attached patch Fix.Splinter Review
I really don't know much about how our XUL prototype and fastload code works, so this could be way off. This fix essentially stops us from using the fastload cache for chrome scripts loaded from a non-chrome XUL document, and loading the scripts again in this case. The XUL prototype cache appears to be set up to not cache scripts loaded by a non-chrome XUL document already. The second part of this diff is what really fixes this bug, I'm not sure if the first check is necessary, but it seemed like the right thing to do.
Attachment #308770 - Flags: superreview?(bzbarsky)
Attachment #308770 - Flags: review?
Comment on attachment 308770 [details] [diff] [review] Fix. Looks reasonable at first glance...
Attachment #308770 - Flags: superreview?(bzbarsky) → superreview+
Attachment #308770 - Flags: review? → review?(enndeakin)
Attachment #308770 - Flags: review?(enndeakin) → review+
Fix checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Attached patch 1.8 branch fix.Splinter Review
Attachment #323625 - Flags: approval1.8.1.15?
Comment on attachment 323625 [details] [diff] [review] 1.8 branch fix. Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #323625 - Flags: approval1.8.1.15? → approval1.8.1.15+
Keywords: fixed1.8.1.15
Verified bug reproduction with 2.0.0.14 and the fix for 2.0.0.15 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre.
Keywords: fixed1.8.1.15verified1.8.1.15
Alias: CVE-2008-2802
Group: security
>I suggest we prevent loading chrome .js from content. agreed. i suggest killing 'chrome:' AND 'resource:' for all remote content including from xul overlays/bindings/styles. sure some web developers will whine and cry, but they'll get over it.
georgi, that's already been done except for chrome packages that explicitly say they want to be linkable to from web content.
Version: unspecified → Trunk
>that's already been done except for chrome packages that explicitly say >they want to be linkable to from web content <div style="-moz-binding: url('chrome://global/content')">div</div> XML Parsing Error: no element found Location: jar:file:///opt/firefox-central/src/fb-opt-static/dist/bin/chrome/toolkit.jar!/content/global/global.xul Line Number 1, Column 1:
<div style="-moz-binding: url('chrome://browser/locale/netError.dtd')">div</div> XML Parsing Error: syntax error Location: jar:file:///opt/joro/firefox-central/src/fb-opt-static/dist/bin/chrome/en-US.jar!/locale/browser/netError.dtd Line Number 1, Column 1: <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd"> ^ ###!!! ASSERTION: An XBL file is malformed. Did you forget the XBL namespace on the bindings tag?: 'Error', file /opt/joro/firefox-central/src/content/xbl/src/nsXBLService.cpp, line 1051
remote xbl loading chrome uris is Bug 443400
georgi, the browser and global packages DO explicitly allow linking to them. Please read comment 16 again?
Comment on attachment 323625 [details] [diff] [review] 1.8 branch fix. a=asac for 1.8.0 branch
Attachment #323625 - Flags: approval1.8.0.next+
Flags: blocking1.8.0.next+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: